The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


CERT Advisory CA-98.12 - mountd


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Mon, 12 Oct 1998 17:50:33 -0400
From: CERT Advisory <[email protected]>
To: [email protected]
Subject: CERT Advisory CA-98.12 - mountd

-----BEGIN PGP SIGNED MESSAGE-----


CERT* Advisory CA-98.12 Original issue date: October 12, 1998 A complete revision history is at the end of this file. Topic: Remotely Exploitable Buffer Overflow Vulnerability in mountd - ------------------------------------------------------------------------ Affected systems: NFS servers running certain implementations of mountd, primarily Linux systems. On some systems, the vulnerable NFS server is enabled by default. This vulnerability can be exploited even if the NFS server does not share any file systems. See Appendix A for information from vendors. If your vendor's name does not appear, we did not hear from that vendor. Overview: NFS is a distributed file system in which clients make use of file systems provided by servers. There is a vulnerability in some implementations of the software that NFS servers use to log requests to use file systems. When a client makes a request to use a file system and subsequently makes that file system available as a local resource, the client is said to "mount" the file system. The vulnerability lies in the software on the NFS server that handles requests to mount file systems. This software is usually called "mountd" or "rpc.mountd." Intruders who exploit the vulnerability are able to gain administrative access to the vulnerable NFS file server. That is, they can do anything the system administrator can do. This vulnerability can be exploited remotely and does not require an account on the target machine. On some vulnerable systems, the mountd software is installed and enabled by default. See Appendix A for more information. We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site. - ------------------------------------------------------------------------ I. Description NFS is used to share files among different computers over the network using a client/server paradigm. When an NFS client computer wishes to access files on an NFS server, the client must first make a request to mount the file system. There is a vulnerability in some implementations of the software that handles NFS mount requests (the mountd program). Specifically, it is possible for an intruder to overflow a buffer in the area of code responsible for logging NFS activity. We have received reports indicating that intruders are actively using this vulnerability to compromise systems and are engaging in large-scale scans to locate vulnerable systems. On some systems, the vulnerable NFS server is enabled by default. See the vendor information in Appendix A. II. Impact After causing a buffer overflow, a remote intruder can use the resulting condition to execute arbitrary code with root privileges. III. Solution A. Install a patch from your vendor. Appendix A contains input from vendors who have provided information for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly. B. Until you install a patch, use the following workaround. Consider disabling NFS until you are able to install the patch. In particular, since some systems have vulnerable versions of mountd installed and enabled by default, we recommend you disable mountd on those systems unless you are actively using those systems as NFS servers. - ------------------------------------------------------------------------ Appendix A - Vendor Information Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly. Caldera ======= Caldera provided a fixed version as nfs-server-2.2beta35-2 on Aug 28. It is available from ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/013 10fdb82ed8fd1b88c73fd962d8980bb4 RPMS/nfs-server-2.2beta35-2.i386.rpm 59e275b1ed6b98a39a38406f0415a226 RPMS/nfs-server-clients-2.2beta35-2.i386.rpm 6b075faf1d424e099c6932d95e76fd6b SRPMS/nfs-server-2.2beta35-2.src.rpm Compaq Computer Corporation
SOURCE: (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer Corporation. All rights reserved. SOURCE: Compaq Computer Corporation Compaq Services Software Security Response Team USA x-ref: SSRT0574U mountd This reported problem is not present for the as shipped, Compaq's Digital ULTRIX or Compaq's Digital UNIX Operating Systems Software. - - Compaq Computer Corporation Data General Corporation
We are investigating. We will provide an update when our investigation is complete. FreeBSD, Inc. ============= FreeBSD 2.2.6 and above seem not be vulnerable to this exploit. Fujitsu Limited =============== Fujitsu's UXP/V operating system is not vulnerable. Hewlett-Packard Company
Not vulnerable. NCR === NCR is not vulnerable. We do not do any of the specified logging, nor do we have mountd (or normally anything else) hanging on port 635. The NetBSD Project
NetBSD is not vulnerable to this attack in any configuration. Neither the NFS server or mount daemon are enabled by default. The OpenBSD Project
OpenBSD is not affected. Red Hat Software, Inc.
All versions of Red Hat Linux are vulnerable, and we have provided fixed packages for all our users. Updated nfs-server packages are available from our site at http://www.redhat.com/support/docs/errata.html The Santa Cruz Operation, Inc.
No SCO platforms are vulnerable. Sun Microsystems, Inc.
Sun's mountd is not affected. - ------------------------------------------------------------------------ Contributors Our thanks to Olaf Kirch and Wolfgang Ley for their input and assistance in constructing this advisory. - ------------------------------------------------------------------------ If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/). CERT/CC Contact Information - --------------------------- Email [email protected] Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA Using encryption We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information. Location of CERT PGP key ftp://ftp.cert.org/pub/CERT_PGP.key Getting security information CERT publications and other security information are available from http://www.cert.org/ ftp://ftp.cert.org/pub/ To be added to our mailing list for advisories and bulletins, send email to [email protected] In the subject line, type SUBSCRIBE your-email-address - ----------------------------------------------------------------------- Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff. If you do not have FTP or web access, send mail to [email protected] with "copyright" in the subject line. * CERT is registered in the U.S. Patent and Trademark Office NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. - ------------------------------------------------------------------------ This file is at: ftp://ftp.cert.org/pub/cert_advisories/CA-98.12.mountd Also posted on the USENET newsgroup comp.security.announce - ------------------------------------------------------------------------ Revision History -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNiJtPXVP+x0t4w7BAQHGsgQAjXSJok3AtIK0rlsK9JClEfr4G+xCed4U QzBSl9CMw0kGpoEInyKdyog03u60B2B8jBwaDesRDLX47eO5YAxngEVBeQTy3lVi tIbbjTQwhWXK9nYS3+qSNdBohFqxnL5neXwJbwDsytTfI0qY17xMdm9aIIf61bD0 RbybGlYldr0= =eLqH -----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру